b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\n       eAUTHENTICATION PROCESS\n\n\n      October 2011   A-14-11-11115\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n   \xef\x82\xa6 Conduct and supervise independent and objective audits and\n       investigations relating to agency programs and operations.\n   \xef\x82\xa6   Promote economy, effectiveness, and efficiency within the agency.\n   \xef\x82\xa6   Prevent and detect fraud, waste, and abuse in agency programs and\n       operations.\n   \xef\x82\xa6   Review and make recommendations regarding existing and proposed\n       legislation and regulations relating to agency programs and operations.\n   \xef\x82\xa6   Keep the agency head and the Congress fully and currently informed of\n       problems in agency programs and operations.\n\n   To ensure objectivity, the IG Act empowers the IG with:\n\n   \xef\x82\xa6 Independence to determine what reviews to perform.\n   \xef\x82\xa6 Access to all information necessary for the reviews.\n   \xef\x82\xa6 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, 
waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                             SOCIAL SECURITY\nMEMORANDUM\n\nDate:      October 14, 2011                                                       Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   The Social Security Administration\xe2\x80\x99s eAuthentication Process (A-14-11-11115)\n\n\n           OBJECTIVE\n           Our objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\n           current and proposed electronic authentication (eAuthentication) process 1 creates a\n           strong, secure authentication protocol that meets Federal guidelines and standards.\n           For this review, we focused on citizen-to-government Internet applications.2, 3\n\n           BACKGROUND\n           SSA is expanding its Internet services to guide the public toward performing more\n           business electronically. Some Internet applications involve the exchange of personally\n           identifiable information (PII) 4 between SSA and the public. 
According to SSA\xe2\x80\x99s Intranet\n           site, these services are more useful and attractive but carry a greater risk of\n           inappropriate disclosure.\n\n\n\n           1\n             eAuthentication is the process of establishing confidence in user identities electronically presented to an\n           information system.\n           2\n            The Agency defines a citizen-to-government Internet application as an application that transacts\n           business between a human and a machine rather than from one machine to another machine.\n           3\n             The Office of Management and Budget (OMB) uses the phrase \xe2\x80\x9cuser-to-agency\xe2\x80\x9d for \xe2\x80\x9ccitizen-to-\n           government\xe2\x80\x9d information system applications. OMB, M-04-04, E-Authentication Guidance for Federal\n           Agencies, Attachment A, Section 2.3, Step 4 (December 16, 2003).\n           4\n             OMB defines the term PII as \xe2\x80\x9c. . . any information about an individual maintained by an agency,\n           including, but not limited to, education, financial transactions, medical history, and criminal or employment\n           history and information which can be used to distinguish or trace an individual's identity, such as their\n           name, social security number, date and place of birth, mother\xe2\x80\x99s maiden name, biometric records, etc.,\n           including any other personal information that is linked or linkable to an individual.\xe2\x80\x9d OMB, M-06-19,\n           Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in\n           Agency Information Technology Investments, page 1, footnote 1 (July 12, 2006).\n\x0cPage 2 - The Commissioner\n\n\nThe Agency\xe2\x80\x99s Internet site supports several types of online Web services: government-\nto-government, business-to-government, and citizen-to-government applications. 
We\ndetermined that SSA had 22 citizen-to-government Internet applications in place at the\ntime of our review (see Appendix B).\n\nIn December 2003, OMB issued guidance to ensure the protection of security and\nprivacy for online Government services. 5 The guidance requires that agencies review\nnew and existing electronic transactions to ensure the eAuthentication processes\nimplemented provided the appropriate level of assurance. 6 Further, the guidance\nestablished and described four levels of identity authentication assurance for electronic\nGovernment transactions. 7\n      \xe2\x80\xa2   Level 1: Little or no confidence in the asserted identity\xe2\x80\x99s validity.\n      \xe2\x80\xa2   Level 2: Some confidence in the asserted identity\xe2\x80\x99s validity.\n      \xe2\x80\xa2   Level 3: High confidence in the asserted identity\xe2\x80\x99s validity.\n      \xe2\x80\xa2   Level 4: Very high confidence in the asserted identity\xe2\x80\x99s validity.\nThe Agency determined it had 1 Level 1, 14 Level 2, and 3 Level 3 citizen-to-\ngovernment Internet applications. 8 SSA did not have a Level 4 citizen-to-government\nInternet application.\n\nAuthentication is not required for Level 1 Internet applications. We determined that SSA\nhas implemented a process that was consistent with Federal guidelines and standards\nfor Level 2 authentication. The Agency stated that it did not have an authentication\nprotocol for Level 3 applications, but planned to implement a protocol that will be\ncompliant. According to OMB guidance, 9 to determine the appropriate assurance\nlevels, agencies must use the following steps.\n\n\n\n\n5\n    OMB, M-04-04, supra.\n6\n    OMB, M-04-04, supra, Attachment A at \xc2\xa7 1.1.\n7\n    OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.1.\n8\n  During the fieldwork phase of our review, we were not provided documentation for four citizen-to-\ngovernment Internet applications. 
They were the Medicare Replacement Card, Replacement 1099,\nPublic Fraud Reporting Form, and Child Disability Report. After the issuance of the discussion draft\nreport, an authentication risk assessment (ARA) for the Public Fraud Reporting Form application was\ncompleted and SSA found the authentication level for this application is Level 1. An ARA is an SSA-\ndefined term that is synonymous with the OMB term for \xe2\x80\x98risk assessment.\xe2\x80\x99 In addition, the Social Security\nStatement Internet application was removed from the production environment in March 2011 and\nauthentication reassessments were completed for the Internet Change of Address and Internet Direct\nDeposit citizen-to-government applications. Both applications are now OMB Level 2 applications.\n9\n    OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3.\n\x0cPage 3 - The Commissioner\n\n\n1. Conduct a risk assessment of the e-government system.\n2. Map 10 identified risks to the required assurance level.\n3. Select technology based on the National Institute of Standards and Technology\n   (NIST) eAuthentication technical guidance. 11\n4. Validate that the implemented system achieved the required assurance level after\n   release to production.\n5. Periodically reassess the information system to determine technology refresh\n   requirements.\n\nTo accomplish our objectives, we limited our work to interviewing SSA employees in the\nOffice of Open Government (OOG); reviewing applicable Federal laws and regulations;\nand examining ARAs and Privacy Impact Assessments. Our review was limited to\nevaluating the process SSA had in place to implement authentication protocols for\nonline citizen-to-government Internet applications. We did not test the Agency\xe2\x80\x99s access\ncontrols for citizen-to-government applications. We will test application controls in\nfuture audits. Therefore, we do not comment on the security of these Internet\napplications. 
See Appendix C for additional information regarding our background,\nscope, and methodology.\n\nRESULTS OF REVIEW\nSSA had taken steps to implement an eAuthentication process that included key\nelements needed to create a strong, secure authentication protocol for Level 2 citizen-\nto-government Internet applications. For example, SSA had adopted an acceptable\nmethodology to conduct ARAs and implemented a process that validates the identity of\nOMB Level 2 Internet application users. 12 The Agency was developing an\nauthentication protocol for future Level 3 citizen-to-government Internet applications that\nwill meet Federal guidelines and standards. However, we identified areas that needed\nimprovement in the Agency\xe2\x80\x99s eAuthentication process to ensure compliance with\nFederal guidelines and standards.\n\n\xe2\x80\xa2     Four citizen-to-government Internet applications did not have documentation\n      reflecting that ARAs were conducted as required. 13\n\n\n\n10\n     Mapping is the process of matching potential impact outcomes to appropriate assurance levels.\n11\n  The selection of technology referred to in OMB M-04-04, Section 2.3, step 3 will be based on NIST\neAuthentication guidance found in Special Publication (SP) 800-63, Version 1.0.2, Electronic\nAuthentication Guideline, Chapters 5 and 8 (April, 2006). An amendment to this guidance is currently in\nDraft. See NIST SP 800-63-1, Electronic Authentication Guideline (December 8, 2008).\n12\n     OMB, M-04-04, \xc2\xa7 2.3 and NIST SP 800-63, Version 1.0.2. See Footnote 11.\n13\n     OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3.\n\x0cPage 4 - The Commissioner\n\n\n\xe2\x80\xa2      Four citizen-to-government Internet applications did not have sufficient\n       documentation showing that risks were mapped to applicable assurance levels as\n       required. 
14\n\xe2\x80\xa2      SSA did not have a NIST-compliant methodology that can provide Level 3\n       assurance for citizen-to-government Internet applications as required. 15\n\xe2\x80\xa2      SSA did not have a process to validate and document that citizen-to-government\n       Internet applications achieved their required assurance level after release to\n       production as required. 16\n\xe2\x80\xa2      SSA did not periodically reassess the information system for 11 citizen-to-\n       government Internet applications to ensure that identity authentication requirements\n       continue to be valid in light of technology changes or changes in Agency business\n       processes as required. 17\n\nFour Citizen-To-Government Internet Applications Did Not Have Documentation\nReflecting That Authentication Risk Assessments Were Conducted as Required\n\nWe were unable to determine whether an ARA was completed for 4 18 of SSA\xe2\x80\x99s\n22 citizen-to-government Internet applications. We reviewed 12 ARAs 19 that addressed\n18 of the 22 applications. We requested documentation for the four remaining\napplications, but no documentation was available. OOG staff commented that before\nJanuary 2009, there was no standard process in place for conducting an ARA, and\nsome projects went through the systems development lifecycle without an ARA.\n\nOMB requires that agencies conduct a risk assessment of e-government systems to\nensure authentication processes provide the appropriate level of assurance. 20 We\nfound no documentation existed that verified an ARA was completed for four SSA\n\n14\n     Id.\n15\n  Id. NIST e-authentication guidance is found in Special Publication (SP) 800-63, Version 1.0.2,\nElectronic Authentication Guideline, Chapter 8, section 8.2.3 (April 2006). An amendment to this\nguidance is in Draft. 
See NIST SP 800-63-1, Electronic Authentication Guideline (December 8, 2008).\n16\n     See OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3.\n17\n     Id.\n18\n  During the fieldwork phase of our review, an ARA could not be located for four applications. They were\nthe Medicare Replacement Card, Replacement 1099, Public Fraud Reporting Form, and Child Disability\nReport. After the issuance of the discussion draft report, an ARA for the Public Fraud Reporting Form\napplication was completed and SSA found the authentication level for this application is Level 1.\n19\n  Some ARAs addressed more than a single citizen-to-government Internet application. For example,\nthe Internet Social Security Benefit Application ARA addressed the Retirement, Spouse, Disability, and\nthe Medicare-Only applications.\n20\n     OMB, M-04-04, supra Attachment A, at \xc2\xa7 2.3.\n\x0cPage 5 - The Commissioner\n\n\ncitizen-to-government Internet applications. Therefore, SSA was not compliant with\nFederal requirements 21 for these four Internet applications. Moreover, there was no\nassurance that SSA implemented appropriate security measures for user identity\nauthentication for these four Internet applications. Consequently, these four\napplications may not have the appropriate authentication. We recommend SSA perform\nrisk assessments and retain documentation that demonstrates required ARAs were\nconducted for these four citizen-to-government Internet applications.\n\nFour Citizen-to-Government Internet Applications Did Not Have Sufficient\nDocumentation Showing That Risks Were Mapped to Applicable Assurance\nLevels as Required\n\nAccording to OMB, as part of the ARA process, agencies are required to \xe2\x80\x98map\xe2\x80\x99 identified\nrisks to their appropriate assurance level. 22 This process involves summarizing the\nrisks inherent in the transaction process assessed in terms of potential harm and/or\nimpact and likelihood of occurrence. 
Agencies link the assessment outcomes to the\nappropriate assurance levels. Quantified results are mapped in terms of their impact\nas, not applicable, low, moderate, or high. This step determines the appropriate\nassurance level for the application or transaction. The assurance level assigned\ndetermines the security protocol needed to authenticate users to the application.\n\nDuring our review of SSA\xe2\x80\x99s 12 ARAs, we found the documentation insufficient to\nsupport that risks were mapped to the appropriate assurance levels for 4 23 citizen-to-\ngovernment Internet applications. As a result, we concluded the Agency\xe2\x80\x99s process was\nnot fully compliant with Federal requirements 24 for these four citizen-to-government\napplications. OOG staff commented that before January 2009, mapping was conducted\nbut was not consistently documented as part of the ARA process for these four citizen-\nto-government Internet applications. Consequently, there was no assurance that these\nfour citizen-to-government Internet applications have appropriate authentication protocol\nin place for users. Lack of an appropriate authentication protocol could result in\nunauthorized use and possible release of information to the wrong individual. We\nrecommend SSA map identified risks to applicable assurance levels for these four\ncitizen-to-government Internet applications and retain documentation that demonstrates\nmapping was completed.\n\n\n\n\n21\n     Id.\n22\n     OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3.\n23\n     The four applications are the applications for which ARAs could not be located.\n24\n     Id. OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3.\n\x0cPage 6 - The Commissioner\n\n\nSSA Did Not Have a NIST-Compliant Authentication Protocol for Level 3 Citizen-\nto-Government Internet Applications\n\nDuring our review, we identified three SSA citizen-to-government Internet applications25\nthat were assigned a Level 3 assurance rating. 
We determined that SSA did not have a\nNIST-compliant authentication protocol for these Level 3 citizen-to-government Internet\napplications. OMB requires that agencies select and implement technology solutions to\ndetermine an individual\xe2\x80\x99s identity based on NIST eAuthentication technical guidance. 26\nAfter an application\xe2\x80\x99s assurance level has been determined, agencies should use NIST\neAuthentication guidance to identify and implement the appropriate technical solution\nneeded for user remote authentication. 27 An OMB risk assurance Level 3 rating\nrequires the implementation of a multi-factor remote network authentication protocol. 28\nAt this level, procedures to determine an individual\xe2\x80\x99s identity require verification of\nidentifying materials and information 29 as well as the user\xe2\x80\x99s possession of a key or a\none-time password. 30\n\nIn anticipation of future Level 3 citizen-to-government Internet applications, the Agency\nis seeking a compliant solution. 31 The original release date for SSA\xe2\x80\x99s new\neAuthentication (eA) system was June 2011. The Agency anticipates releasing the\neA system in calendar year 2012. Therefore, we recommend SSA reassess the three\nLevel 3 applications and select an authentication technology based on the NIST\n\n25\n   The three SSA citizen-to-government Internet applications assigned a Level 3 assurance rating are the\nSocial Security Statement, Change of Address (password), and Direct Deposit applications. After our\nfieldwork ended, the Agency removed the Social Security Statement Internet application from the\nproduction environment in March 2011 and authentication reassessments were completed for the Internet\nChange of Address and Internet Direct Deposit citizen-to-government applications. Both reassessed\napplications are now Level 2 applications.\n26\n  NIST, SP 800-63, Version 1.0.2, supra, Chapter 8, Section 8.2. The amended NIST guidance is in\nDraft. 
NIST SP 800-63-1, Electronic Authentication Guideline (December 8, 2008). Also see OMB, M-04-\n04, supra, Attachment A at \xc2\xa7 2.3, Step 3.\n27\n     OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3, Step 3.\n28\n  NIST, SP 800-63, Version 1.0.2, supra, Chapter 6, section 6.2. The amended NIST guidance is in\nDraft. NIST SP 800-63-1, Electronic Authentication Guideline (December 8, 2008).\n\n29\n   Id. According to NIST, SP 800-63, Version 1.0.2, Chapter 5, section 5.2, identifying materials and\ninformation include something you have and something you know that only you possess. For example,\nthe pin and password assigned to a user during the registration process. This is a single-factor remote\nauthentication protocol. When you add the requirement of the user having to provide a key or one-time\npassword, you add an additional authentication level, which then becomes a multi-factor level protocol.\n30\n     NIST, SP 800-63, Version 1.0.2, supra, Chapter 6, section 6.2.\n\nThe amended NIST guidance is currently in Draft. See NIST SP 800-63-1, Electronic Authentication\nGuideline (December 8, 2008).\n31\n  According to OOG personnel, the eA system will meet the multi-factor remote network authentication\nrequirement for OMB Level 2 and 3 applications.\n\x0cPage 7 - The Commissioner\n\n\neAuthentication technical guidance. Further, we recommend SSA continue to develop\nand implement the eA system or an appropriate authentication protocol to help secure\nthe Agency\xe2\x80\x99s future Level 3 citizen-to-government Internet applications.\n\nSSA Did Not Have a Process to Validate and Document Citizen-to-Government\nInternet Applications Achieved Their Required Assurance Level After Release to\nProduction\n\nWe determined that none of the 22 citizen-to-government Internet applications were\nvalidated as required by Federal guidelines. 
According to OMB, subsequent to\nimplementation, agencies are required to validate that the information system has\noperationally achieved the required assurance level. 32 Because some implementations\ncreate or compound particular risks, agencies should conduct a final, post-\nimplementation validation to confirm the system achieved the required assurance level\nfor the citizen-to-government process.33 OOG personnel stated there was no formal\nprocess in place to address this requirement. OOG personnel also commented that it\nevaluates the online applications and provides feedback on evaluation plans that\nbusiness sponsors create and maintain. In addition, OOG personnel stated that they\nmonitor application activity for 30 to 60 days after release to production, to ensure the\napplication is functioning as intended. However, OOG management stated that\nbecause of a lack of resources, stand-alone documentation to support this activity was\nnot available.\n\nAlthough SSA monitors an application after implementation, the Agency cannot\nguarantee that appropriate security measures were implemented to adequately protect\nsensitive electronic transaction data from possible inappropriate disclosure. We\nrecommend SSA establish a process that validates and documents that all implemented\ncitizen-to-government Internet applications have operationally achieved their required\nassurance level after release to production.\n\n\n\n\n32\n     OMB M-04-04, supra, Attachment A, at \xc2\xa7 2.3, Step 4.\n33\n     Id.\n\x0cPage 8 - The Commissioner\n\n\nSSA Did Not Periodically Reassess the Information System for 11 Citizen-to-\nGovernment Internet Applications to Ensure that Identity Authentication\nRequirements Continue to be Valid in Light of Technology Changes or Changes\nin Agency Business Processes\n\nWe determined that SSA did not conduct required periodic reassessments for 11 34 of\n22 citizen-to-government Internet applications. 
According to OMB, agencies must\nperiodically reassess information systems to ensure identity authentication requirements\ncontinue to be valid due to changes in technology and agency business processes.35 36\nOOG staff commented that it performs reassessments when there is a change in the\nInternet business process, but there has not been enough staff to conduct periodic\nassessments as part of cyclical reviews. Since the Agency did not reassess its citizen-\nto-government Internet applications consistently and timely, SSA may not have updated\nsecurity measures to address unknown security vulnerabilities. We recommend SSA\nconduct required periodic reassessments, when applicable, for citizen-to-government\nInternet applications to ensure identity authentication requirements continue to be valid\ndue to changes in technology or Agency business processes.\n\nCONCLUSION AND RECOMMENDATIONS\nSSA took steps to implement an eAuthentication process that included key elements\nneeded to create a strong, secure authentication protocol for Level 2 citizen-to-\ngovernment Internet applications. The Agency is developing an authentication protocol\nfor future Level 3 citizen-to-government Internet applications to meet Federal guidelines\nand standards. While certain aspects of SSA\xe2\x80\x99s eAuthentication process are generally\nconsistent with Federal guidelines, some areas require improvement. Therefore, we\nrecommend that SSA:\n\n1. 
Perform risk assessments and retain documentation that demonstrates the\n   completion of required ARAs for the four citizen-to-government Internet applications\n   identified in this report.\n\n\n\n\n34\n  The 11 citizen-to-government applications for which required periodic reassessments were not\nconducted are the Social Security Statement, Retirement Estimator, Retirement Application, Spouse\nApplication, Disability Application, Medicare-Only Application, Appeal Disability Report-3441, Change of\nAddress (PIN and Password), Change of Address (Knowledge Based Authentication), Direct Deposit (PIN\nand Password), and Application Status applications. After the completion of the fieldwork phase of our\nreview, the Agency removed the Social Security Statement Internet application from the production\nenvironment in March 2011 and authentication reassessments were completed for the Internet Change of\nAddress and Internet Direct Deposit citizen-to-government applications.\n35\n     OMB, M-04-04, supra, Attachment A at \xc2\xa7 2.3, Step 5.\n36\n  Id. Technology changes can occur because of new products and innovations. Business processes\ncan change because of new or obsolete functionality. Changes can also occur within processes or the\nprocessing environment that can have an impact on an application.\n\x0cPage 9 - The Commissioner\n\n\n2. Map identified risks to applicable assurance levels for the four citizen-to-government\n   Internet applications identified in this report, and retain documentation that\n   demonstrates mapping was completed.\n\n3. Reassess the three Level 3 applications identified in this review, and select an\n   authentication technology based on the NIST eAuthentication technical guidance.\n\n4. Continue to develop and implement the eA system or an appropriate authentication\n   protocol to help secure the Agency\xe2\x80\x99s future Level 3 citizen-to-government Internet\n   applications.\n\n5. 
Establish a process that validates and documents that all implemented citizen-to-\n   government Internet applications have operationally achieved their required\n   assurance level after release to production.\n\n6. Conduct required periodic reassessments, when applicable, for citizen-to-\n   government Internet applications to ensure identity authentication requirements\n   continue to be valid in light of changes in technology or Agency business processes.\n\nAGENCY COMMENTS\nSSA agreed with our recommendations. See Appendix D for the Agency\xe2\x80\x99s comments.\n\n\n\n\n                                         Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Social Security Administration Citizen-to-Government Internet\n             Applications\nAPPENDIX C \xe2\x80\x93 Background, Scope, and Methodology\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                           Appendix A\n\nAcronyms\n ARA               Authentication Risk Assessment\n AW                Authentication Workgroup\n eA                Electronic Authentication System\n eAuthentication   Electronic Authentication\n KBA               Knowledge Based Authentication\n NIST              National Institute of Standards and Technology\n OIG               Office of the Inspector General\n OMB               Office of Management and Budget\n OOG               Office of Open Government\n PII               Personally Identifiable Information\n SP                Special Publication\n SSA               Social Security Administration\n\x0c                                                                                 Appendix B\n\nSocial Security Administration Citizen-to-\nGovernment Internet Applications\n                                                 Last Date         Office of Management and\n    
             Application\n                                                 Assessed         Budget Authentication Level\n    Social Security Statement                   02/11/2005                    Level 3 1\n    Spanish Retirement Estimator              New Application                 Level 2\n    Retirement Estimator                        10/13/2005                    Level 2\n    Retirement Application                      01/16/2008                    Level 2\n    Spouse Application                          01/16/2008                    Level 2\n    Disability Application                      01/16/2008                    Level 2\n    Medicare-only Application                   01/16/2008                    Level 2\n    Revised Adult Disability Report\xe2\x80\x93i3368       06/02/2009                    Level 2\n    Child Disability Report-3820\n    Appeal Disability Report-3441               03/06/2007                    Level 2\n    Proof of Income Letter                      06/01/2010                    Level 2\n    Check Your Benefits                         07/02/2009                    Level 2\n    Change of Address (PIN and Password)        06/09/2011                    Level 2\n    Change of Address (Knowledge Based          02/13/2005                    Level 2\n    Authentication)\n    Direct Deposit (PIN and Password)           06/10/2011                    Level 2\n    Medicare Replacement Card\n    i1020 (Applicant and 3rd Party)             03/23/2011                    Level 2\n    Replacement 1099\n    Application Status                          01/10/2007                    Level 2\n    Special Notice Option                       11/10/2009                    Level 2\n    iAppointment                                06/04/2010                    Level 1\n    Public Fraud Reporting Form                 06/15/2011                    Level 1\n\n\n\n1\n After our fieldwork ended, SSA removed the Social Security Statement Internet application from 
the\nproduction environment in March 2011 and completed authentication risk reassessments for the Internet\nChange of Address and Internet Direct Deposit citizen-to-government applications. Both reassessed\napplications are now Level 2 applications. Furthermore, an ARA for the Public Fraud Reporting Form\napplication was completed and SSA found the authentication level for this application is Level 1.\n\x0c                                                                      Appendix C\n\nBackground, Scope, and Methodology\nBackground\nIn May 2008, the Office of Notice Improvement and Authentication and the\nAuthentication Workgroup initiated a detailed review of the Authentication Risk\nAssessment (ARA) process. Based on this review, the ARA process was changed. For\nexample, in July 2008, as part of the ARA process, the Office of Notice Improvement\nand Authentication began using the Electronic Risk Assessment tool that was created\nby the General Services Administration and Carnegie Mellon\xe2\x80\x99s Software Engineering\nInstitute.\n\nBefore July 2008 -- ARA Process\n\n\xe2\x80\xa2   A group of key stakeholders met to review the proposed business processes.\n\xe2\x80\xa2   A qualitative approach to assess risk was used.\n\xe2\x80\xa2   Each stakeholder assessed risk differently based on varying interpretations of the\n    Office of Management and Budget Memorandum M-04-04 guidelines. The risk\n    assessment relied on a panel of stakeholders reaching a consensus on the impact\n    categories, but the panel often disagreed and could not reach consensus. 
In these\n    cases, the component with the highest assessment determined the overall\n    assurance level.\n\nAfter July 2008 -- ARA Process\n\n\xe2\x80\xa2   Risk assessments are conducted using the Electronic Risk Assessment tool.\n\xe2\x80\xa2   The Authentication Workgroup, in conjunction with the business sponsor, conducts\n    the ARA.\n\xe2\x80\xa2   A quantitative approach versus a qualitative approach is used to assess risk.\n\xe2\x80\xa2   The definitions of \xe2\x80\x9cLow,\xe2\x80\x9d \xe2\x80\x9cModerate,\xe2\x80\x9d and \xe2\x80\x9cHigh\xe2\x80\x9d impact were included to better align\n    with the Social Security Administration\xe2\x80\x99s (SSA) business processes.\n\xe2\x80\xa2   Examples of each risk category were included to provide context for voters.\n\xe2\x80\xa2   Voting results are averaged so that each stakeholder\xe2\x80\x99s vote is counted and each\n    stakeholder has equal input into the outcome of the assessment.\n\n\n\n\n                                           C-1\n\x0cScope and Methodology\nTo accomplish our objectives, we\n\n\xe2\x80\xa2   reviewed applicable Federal laws and regulations and applicable SSA policies and\n    procedures;\n\xe2\x80\xa2   interviewed Agency staff from the Office of Open Government;\n\xe2\x80\xa2   examined Privacy Impact Assessments;1 and\n\xe2\x80\xa2   examined ARAs conducted by the Office of Open Government.\n\nWe did not perform penetration testing of the Agency\xe2\x80\x99s citizen-to-government\napplications; therefore, we do not comment on the security of these Websites.\n\nWe performed our audit at SSA Headquarters from October 2010 to March 2011. We\nconducted this review in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the review to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our review objectives. 
We believe the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our review\nobjectives.\n\n\n\n\n1\n  A Privacy Impact Assessment (PIA) is an analysis of how information is handled: (i) to ensure handling\nconforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the\nrisks and effects of collecting, maintaining and disseminating information in identifiable form in an\nelectronic system, and (iii) to examine and evaluate protections and alternate processes for handling\ninformation to mitigate potential privacy risks. The Office of Management and Budget, M-03-22,\nGuidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Attachment A,\nSection II.A.f, September 26, 2003.\n\n\n                                                    C-2\n\x0c                  Appendix D\n\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      August 25, 2011                                                         Refer To:   S1J-3\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Dean S. Landis /s/\n           Deputy Chief of Staff\n\nSubject:   Office of the Inspector General Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n           eAuthentication Process\xe2\x80\x9d (A-14-11-11115)--INFORMATION\n\n\n           Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n           Please let me know if we can be of further assistance. 
You may direct staff inquiries to\n           Frances Cord at (410) 966-5787.\n\n           Attachment\n\n\n\n\n                                                          D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S eAUTHENTICATION\nPROCESS\xe2\x80\x9d (A-14-11-11115)\n\nGENERAL COMMENT\n\nWe have greatly improved our Authentication Risk Assessment (ARA) process in recent years.\nWe use the Electronic Risk and Requirements Assessment (e-RA) tool, which is compliant with\nOffice of Management and Budget guidelines, to identify the risks associated with insufficient\nauthentication of users and to formally guide us through the assessment process. We also assess\nthe worst-case scenario and the likelihood that a scenario would happen. Finally, we initiated a\ndedicated eAuthentication workgroup to provide an overlying governance structure for the ARA\nprocess.\n\nRESPONSE TO RECOMMENDATIONS\n\nRecommendation 1\n\nPerform risk assessments and retain documentation that demonstrates the completion of required\nARAs for the four citizen-to-government Internet applications identified in this report.\n\nResponse\n\nWe agree that there are three applications in need of risk assessments. We are planning to\nconduct the required ARAs for Medicare Replacement Card, Replacement 1099, and Child\nDisability Report. After conducting the ARA on the OIG Public Fraud Reporting Form\napplication, we determined it does not require authentication because there is no applicable level\nof risk. We provided documentation to OIG supporting this determination on July 13, 2011.\n\nRecommendation 2\n\nMap identified risks to applicable assurance levels for the four citizen-to-government Internet\napplications identified in this report, and retain documentation that demonstrates mapping was\ncompleted.\n\nResponse\n\nWe agree. 
We will continue our practice of mapping an application as part of our assessment.\nWhen we conduct the ARA for Medicare Replacement Card, Replacement 1099, and Child\nDisability Report, we will map the identified risks as part of the process.\n\n\n\n\n                                               D-2\n\x0cRecommendation 3\n\nReassess the three Level 3 applications identified in this review, and select an authentication\ntechnology based on the National Institute of Standards and Technology (NIST) eAuthentication\ntechnical guidance.\n\nResponse\n\nWe agree. Using the e-RA tool, we completed our reassessment of the Change of Address and\nDirect Deposit applications and determined they are at a Level 2. The third application, Social\nSecurity Statement, is no longer in production. The business process for the upcoming Online\nStatement application is complete, and we determined the application is at a Level 2. We\nproperly documented the authentication assessment for all three applications.\n\nWe consider this recommendation closed for tracking purposes.\n\nRecommendation 4\n\nContinue to develop and implement the Citizen Authentication Initiative or an appropriate\nauthentication protocol to help secure the Agency\xe2\x80\x99s future Level 3 citizen-to-government\nInternet applications.\n\nResponse\n\nWe agree. Currently, we do not have any Level 3 citizen-to-government applications. We\ncontinue to work on this initiative and anticipate providing the appropriate Level 3 technology as\nan option for users who want extra security to be available in the future.\n\nRecommendation 5\n\nEstablish a process that validates and documents that all implemented citizen-to-government\nInternet applications have operationally achieved their required assurance level after release to\nproduction.\n\nResponse\n\nWe agree. 
We are developing a new authentication system that will provide support to access\neServices applications at a Level 2 or Level 3, which are consistent with the requirements of\nNIST 800-63. In addition, we will monitor the integrity of the new credentials to validate and\ndocument the required assurance levels.\n\n\n\n\n                                                D-3\n\x0cRecommendation 6\n\nConduct required periodic reassessments, when applicable, for citizen-to-government Internet\napplications to ensure identity authentication requirements continue to be valid in light of\nchanges in technology or agency business processes.\n\nResponse\n\nWe agree. We conduct ARA reassessments when we become aware of changes in the business\nprocess of an Internet application. In addition, we created a maintenance chart to perform\nperiodic reassessments as we move applications to our new electronic Authentication (eA)\nsystem.\n\n\n\n\n                                              D-4\n\x0c                                                                         Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n    Brian Karpe, Director, Information Technology Audit Division\n\n    Mary Ellen Moyer, Audit Manager\n\nAcknowledgments\n\nIn addition to those named above:\n\n    Harold Hunter, Auditor in Charge\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Staff Assistant at\n(410) 965-4518. 
Refer to Common Identification Number A-14-11-11115.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) comprises an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"